IBM SAN卷控制器

IBM QRadar DSM IBM® SAN 卷控制器从 IBM SAN 卷控制器收集事件。

重要信息: 此 DSM 仅支持云审计数据联合 (CADF) 事件格式，其中包括与来自 IBM SAN Volume Controller 的云帐户的创建，更新，除去和云备份活动事件相关的监视和保护。

下表描述了 IBM SAN Volume Controller DSM 的规范:

表 1. IBM SAN Volume Controller DSM 规范
规范	值
制造商	IBM
DSM 名称	IBM SAN卷控制器
RPM 文件名	DSM-IBMSANVolumeController-`QRadar_version-build_number`.noarch.rpm
受支持的版本	不适用
协议	Syslog
事件格式	CADF
记录的事件类型	活动，控制和监视审计事件
自动发现?	是
包含身份?	否
是否包含定制属性?	否
更多信息	IBM SAN Volume Controller Web 站点 (http://www-03.ibm.com/systems/storage/software/virtualization/svc/)

要将 IBM SAN Volume Controller 与 QRadar集成，请完成以下步骤:

如果未启用自动更新，请从 IBM 支持 Web 站点按列示顺序在 QRadar Console上下载并安装以下 RPM 的最新版本:
- DSMCommon RPM
- IBM SAN卷控制器DSM RPM
配置 IBM SAN Volume Controller 服务器以将系统日志事件发送到 QRadar。

如果 QRadar 未自动检测日志源，请在 QRadar Console上添加 IBM SAN Volume Controller 日志源。下表描述了需要 IBM SAN Volume Controller 事件集合的特定值的参数:

表 2. IBM SAN Volume Controller 日志源参数
参数	值
日志源类型	IBM SAN卷控制器
协议配置	Syslog
日志源标识	IBM SAN Volume Controller 服务器的 IP 地址或主机名。

要验证是否正确配置了 QRadar ，请查看下表以查看已解析事件消息的示例。

重要信息: 由于格式化问题，请将消息格式粘贴到文本编辑器中，然后除去任何回车符或换行符。

下表显示了 IBM SAN Volume Controller 的样本事件消息:

事件名称低级类别样本日志消息

备份成功

备份活动成功

表 3. IBM SAN Volume Controller 样本消息
事件名称	低级类别	样本日志消息
备份成功	备份活动成功	Oct 12 20:02:33 Cluster_<IP_address> IBM2145: {"typeURI": "http://example.com/cloud/audit/1.0/event","eventTime": "2016-10-12T20:02:30.000000+0000","target": {"typeURI": "service/storage/object","id": "0","name": "username"},"observer": {"typeURI": "service/network/cluster/logger","id": "10032004394","name": "username"},"tags": ["Backup"],"eventType": "activity","measurements": [{"metric": {"metricId": "www.example.com/svc/Cloud/Backup_Time/0000000000/000/0","name": "Time of backup being copied or restored","unit": "YYMMDDHHMMSS"},"result": "2016/10/12/20/02/30"},{"metric": {"metricId": "www.example.com/svc/Cloud/Backup_Generation_Number/0000000000/000/0","name": "Volume backup generation number","unit": "Natural Number"},"result": "1"}],"initiator": {"typeURI": "service/network/node","host": {"address": "<IP_address>"},"attachments": [{"content":"6005076400C8010E5000000000000000","typeURI": "text/plain","name": "volume_uuid"}],"name": "username","id": "1"},"reason": {"reasonCode": "200","reasonType": "http://www.example.com/assignments/http-status-codes/http-status-codes.xml"},"action": "backup","outcome": "success","id": "xxxxxxxxxxx-xxxxxxxxxx-xxx"}

Oct 12 20:02:33 Cluster_<IP_address> IBM2145: {"typeURI": "http://example.com/cloud/audit/1.0/event","eventTime": "2016-10-12T20:02:30.000000+0000","target": {"typeURI": "service/storage/object","id": "0","name": "username"},"observer": {"typeURI": "service/network/cluster/logger","id": "10032004394","name": "username"},"tags": ["Backup"],"eventType": "activity","measurements": [{"metric": {"metricId": "www.example.com/svc/Cloud/Backup_Time/0000000000/000/0","name": "Time of backup being copied or restored","unit": "YYMMDDHHMMSS"},"result": "2016/10/12/20/02/30"},{"metric": {"metricId": "www.example.com/svc/Cloud/Backup_Generation_Number/0000000000/000/0","name": "Volume backup generation number","unit": "Natural Number"},"result": "1"}],"initiator": {"typeURI": "service/network/node","host": {"address": "<IP_address>"},"attachments": [{"content":"6005076400C8010E5000000000000000","typeURI": "text/plain","name": "volume_uuid"}],"name": "username","id": "1"},"reason": {"reasonCode": "200","reasonType": "http://www.example.com/assignments/http-status-codes/http-status-codes.xml"},"action": "backup","outcome": "success","id": "xxxxxxxxxxx-xxxxxxxxxx-xxx"}